The file dsec.bsq is called every time that a new database is created by the DBCA. Therefore, if an attacker had
gained temporary access, but wanted to persist and increase the scope of their access—making it hands-free, so to
speak—then modifying the content of this dsec.bsq would do just that.
dsec.bsq is an interesting file to read. Following is a snippet taken from that file:
create user sys identified by "D_SYSPW"
/
grant inherit any privileges to sys
/
create role public enable editions for synonym
/
First, we can see the default password being specified for SYS. This is changed by the installer to a value that the
user enters—but until the user enters that value the above password is in effect.
In dsec.bsq we can also see the answer to a question that has foxed a few people in the past: Is PUBLIC a role, a user, or
a user group? Well, it looks here like it's a role.
The point is that dsec.bsq needs to be state-checked as part of our rootkit detection process in case someone
inserts a sequence of statements such as the following:
create user hacker or
grant dba to hacker
You can use the md5sum command to generate a checksum. For example:
root@orlin $ md5sum /home/oracle/app/oracle2/product/12.1.0/dbhome_2/rdbms/admin/dsec.bsq
f269d24fc1f464e6db2aa2a1a8c18114
Save the checksum. Recompute it periodically and check to be sure that the recomputed values do not vary from
the original that you have saved.
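One way to automate the baseline-and-recheck procedure above, as an added example that is not from the book: the script records a digest and a pristine copy of dsec.bsq, and on a later mismatch prints the lines that were added (the kind of "create user"/"grant" tail described above). Paths, the baseline directory and the sample file contents are assumptions; md5sum is used because the book does, and sha256sum is a drop-in replacement.

```shell
#!/bin/sh
# Added example, not the book's code: baseline and periodic verification of dsec.bsq.
# Assumes a GNU/BusyBox md5sum (sha256sum works the same) and a writable baseline dir.
HASHER="${HASHER:-md5sum}"

# Print only the hex digest of FILE (md5sum output is "<digest>  <path>").
bsq_hash() { "$HASHER" "$1" | cut -d' ' -f1; }

# bsq_baseline FILE DIR: record FILE's digest and a pristine copy under DIR.
# Keep DIR somewhere the database host cannot write (read-only media, another box),
# otherwise whoever edits dsec.bsq can simply re-baseline it as well.
bsq_baseline() {
    f="$1" d="$2" n="$(basename "$1")"
    mkdir -p "$d" && cp "$f" "$d/$n.orig" && bsq_hash "$f" > "$d/$n.$HASHER"
}

# bsq_verify FILE DIR: return 0 if the digest matches the saved one; otherwise print
# the lines added since the baseline and return 1. A missing baseline also fails.
bsq_verify() {
    f="$1" d="$2" n="$(basename "$1")"
    [ -r "$d/$n.$HASHER" ] || { echo "no baseline for $f" >&2; return 1; }
    [ "$(bsq_hash "$f")" = "$(cat "$d/$n.$HASHER")" ] && return 0
    echo "CHANGED: $f differs from baseline; added lines:" >&2
    diff "$d/$n.orig" "$f" | grep '^>' >&2
    return 1
}

# bsq_demo: constructed data only. Builds a tiny dsec.bsq-like file in a temp dir,
# baselines it, verifies it ("clean"), then appends the statements the text warns
# about and verifies again ("tampered").
bsq_demo() {
    t="$(mktemp -d)"
    printf 'create user sys identified by "D_SYSPW"\n/\ngrant inherit any privileges to sys\n/\n' > "$t/dsec.bsq"
    bsq_baseline "$t/dsec.bsq" "$t/baseline"
    bsq_verify "$t/dsec.bsq" "$t/baseline" 2>/dev/null && echo clean
    printf 'create user hacker\n/\ngrant dba to hacker\n/\n' >> "$t/dsec.bsq"
    bsq_verify "$t/dsec.bsq" "$t/baseline" 2>/dev/null || echo tampered
    rm -rf "$t"
}
```

Run bsq_baseline once per ORACLE_HOME right after installation, then call bsq_verify from cron and alert on a non-zero exit.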
The Seed Database
The 12c enactment of a self-replicating backdoor is done through the seed database, which acts as a template for all
future pluggable databases (PDBs) when they are instantiated using this command:
CREATE PLUGGABLE DATABASE salespdb ADMIN USER salesadm IDENTIFIED BY password ROLES=(DBA);
Any default accounts, or backdoor accounts, will be propagated "as is" from the seed, so it is well worth checking
beforehand that the seed database meets the corporate compliance standards.
If your 12c installation is using containers, then you can change your current database to the seed in order to
check that the configuration of the seed is set to the appropriate security standards of your organization.
You can't see the seed database from the dba_services view. In the following example, the seed does not show:
SYS@orcl3>select name, pdb from dba_services;